Endpoint Analytics: Locate devices not enrolled with Windows Hello for Business


As promised, another use case and example of Proactive Remediations in the new Endpoint Analytics feature in Microsoft Endpoint Manager (Intune).

In this example, I’m locating all devices which currently are not making use of Windows Hello for Business, and displaying a Toast Notification to the logged-on user to remind them to get started.

If and when an organization is promoting and requiring the use of Windows Hello for Business, you will want to make sure that the users are indeed setting it up – and if not, nag them continuously until it is done.

Proactive Remediations

To get this started, head into the Endpoint analytics space of Microsoft Endpoint Manager:

  • Browse to Proactive remediations
  • Click + Create script package

Detection Script

The detection script is the one doing the magic of locating devices not using Windows Hello for Business.

The script is available from my GitHub page: https://github.com/imabdk/Powershell/blob/master/Detect-WindowsHelloEnrollment.ps1

The detection script goes into the Detection script area, which is mandatory.
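To make the detection logic concrete, here is an added example of such a detection script written for this post's scenario; it is not the author's Detect-WindowsHelloEnrollment.ps1 from GitHub. It assumes (not stated in the post) that PIN credentials are registered under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\NgcPin\Credentials\<SID> with the PIN credential provider GUID as a subkey; it exits 1 to mark the device "With issues" and trigger the remediation script, and writes the same kind of last output line that later shows up in IntuneManagementExtension.log.

```powershell
# Added example, not the author's Detect-WindowsHelloEnrollment.ps1.
# Assumption (not from the post): NGC/PIN credentials are registered under
# this key per user SID, with the PIN provider GUID as a subkey.
$PinCredentialProvider = '{D6886603-9D2F-4EB2-B25E-E20BF4EFDCD5}'   # PINLogonProvider CLSID
$NgcCredentialsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\NgcPin\Credentials'

function Get-LoggedOnUserSid {
    # Win32_ComputerSystem.UserName is the interactively logged-on user (DOMAIN\user)
    $userName = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    if ([string]::IsNullOrEmpty($userName)) { return $null }
    $account = New-Object System.Security.Principal.NTAccount($userName)
    return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Test-WhfbEnrolled {
    param([Parameter(Mandatory)][string]$Sid)
    $userKey = Join-Path -Path $NgcCredentialsKey -ChildPath $Sid
    if (-not (Test-Path -Path $userKey)) { return $false }
    # Enrolled when the PIN provider has a credential entry for this SID (assumed layout)
    return Test-Path -Path (Join-Path -Path $userKey -ChildPath $PinCredentialProvider)
}

try {
    $sid = Get-LoggedOnUserSid
    if (-not $sid) {
        # Unattended device: nobody to nag, so report compliant and let the next run decide
        Write-Output 'No interactive user logged on. Skipping detection.'
        exit 0
    }
    # Several SIDs under the key means more than one user has enrolled on this device;
    # flag it in the output the same way the post's log line does
    $knownSids = @(Get-ChildItem -Path $NgcCredentialsKey -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty PSChildName)
    $prefix = if ($knownSids.Count -gt 1) { '[Multiple SIDs]: ' } else { '' }

    if (Test-WhfbEnrolled -Sid $sid) {
        Write-Output "${prefix}All good. PIN credential provider found for $sid. User is enrolled into WHfB."
        exit 0   # Without issues: the remediation (toast) script is not run
    }
    Write-Output "${prefix}Not good. PIN credential provider NOT found for LoggedOnUserSID. This indicates that the user is not enrolled into WHfB."
    exit 1       # With issues: Intune runs the remediation script (the toast)
}
catch {
    # A detection error must not turn into a nag; surface it in the report output instead
    Write-Output "Detection failed: $($_.Exception.Message)"
    exit 0
}
```

Proactive Remediations only keeps the last line of output, so each branch writes exactly one line that explains the exit code on the device status page.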

Remediation script

  • NOTE: It’s not a requirement to use a Remediation script. If you don’t intend to display a toast notification to the users, simply leaving the remediation script blank will work. In that case, you can use the feature for its audit and monitoring possibilities.

The remediation script is my entire Windows 10 Toast Notification Script found here: https://www.imab.dk/windows-10-toast-notification-script/

Proactive Remediations doesn’t support passing parameters to the script, so for the Toast Notification Script to work, you will have to hard-code the path to the config.xml file.

NOTE: Again, the Toast Notification Script has been modified to support config.xml files hosted online. Here, I’m hosting a config.xml in Azure blob storage:

[string]$Config = "https://krpublicfiles.blob.core.windows.net/toastnotification/config-toast-whfb.xml"


Assignments are the last part of setting this up, along with deciding how often the script will run.

I have a collection in Configuration Manager which is being synced to Microsoft Intune, and I’m running this every hour.

In Action

When everything is set up properly, you will see that the detection script finds devices which are not enrolled in Windows Hello for Business.

On those devices, a Toast Notification is displayed, similar to the toast examples at the beginning of this post.

Taking a closer look at IntuneManagementExtension.log (C:\ProgramData\Microsoft\IntuneManagementExtension\Logs), you will also notice the reason for the Toast Notification being displayed:

[HS] lastLine of output = [Multiple SIDs]: Not good. PIN credential provider NOT found for LoggedOnUserSID. This indicates that the user is not enrolled into WHfB.

And when the Remediation script is run, the Toast Notification Script writes an output line once the toast has been successfully displayed:

[HS] lastLine of output = All good. Toast notification was displayed


Even if you use this just for the monitoring possibilities, the device status page is quite clear about where to act.

In my example below, all the devices tagged as ‘With Issues’ have a Toast Notification displayed, telling the logged-on user to get going or face consequences.

